There was a “meteoric rise” in the sophistication of cyber attacks in 2017 as a result of techniques developed by well-funded nation states trickling down to the criminal community, according to cyber security company CrowdStrike.
Its findings are detailed in its 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft.
In his foreword to the report, CrowdStrike CEO and co-founder, George Kurtz, says the result of this ‘trickle-down’ effect has been a proliferation of military-grade weaponry for cyber warfare being pushed down into the masses and commoditised.
He says the result has been a huge upsurge in attacks that are able to bypass most defences. “These attacks … are essentially immune to the traditional endpoint defence technologies that most organisations have relied on for the past 20 or more years.”
“Trickle-down is not new. It’s precisely how state-sponsored research and development programs are supposed to work: Governments fund development of sophisticated technologies, and those eventually get transferred out to the private sector as products and services.”
He says it is time for the ‘good guys’ to “enlist a host of new security technologies and approaches that go beyond the simple signature-based prevention of the past.”
Examples of this trickle down effect cited in the report include EternalBlue and DoublePulsar, Windows exploits developed by the US National Security Agency and leaked by the Shadow Brokers hacker group and then “rapidly incorporated into targeted intrusion and criminal campaigns, including WannaCry and NotPetya.”
On a more positive note the report said: “The coordinated multi-agency takedowns of major eCrime actors and networks during 2017 helped balance the scales and disrupt operations of profit-driven cybercrime groups. … These actions often temporarily splinter the criminal community, as actors examine their operational security and look for alternative methods for committing their crimes.”
Hotel hacking on the rise
The report says the hospitality sector emerged in the past year as “a growing target for criminals and, in a more unsettling turn, nation-state adversary groups.” CrowdStrike says it also saw increasing attacks on US think tanks and NGOs focusing on public policy, along with think tanks based in the UK specialising in international security and defence issues.
It suggests state-affiliated adversaries’ deep interest in the lodging sector could be “for tracking persons of interest while they are traveling, or to enable access to these potential victims when they use electronic devices outside the confines of protected networks.”
It adds: “It is clear that members of this industry vertical, particularly global hotel chains, are at continued risk of targeted intrusion as eCrime actors seek financial gain in exploiting hotel franchises that must manage widely dispersed locations with varying levels of security controls.”
International sports body targeted
CrowdStrike says it also saw “a significant amount of intrusion activity on the network of an organisation responsible for governing international sports competition.”
It identified the sources of this activity as adversaries associated with the Russian Federation and China, saying: “The actors had likely been deeply embedded within the network for a long period of time, due to previously insufficient security controls, the significant prevalence of interactive activity observed on numerous endpoints, and the increasing public focus on the target, given recent doping scandals.”
Looking forward, the report says the high-profile attacks in 2017 have introduced the possibility that ransomware could be used for geopolitical, and even militaristic, purposes.
“It is possible this trend of nation state ransomware has plateaued, but it is even more likely that other nations — perhaps smaller countries or even hacktivist groups — will use ransomware and pseudo-ransomware wipers to disrupt victims, eroding trust between vital businesses and their customers or between governments and their constituencies. … In 2018 and beyond, new campaigns could incorporate the latest vulnerabilities or additional tactics, techniques and procedures that have not been previously observed or associated with ransomware campaigns.”
The report details targeted attack activity, by source, from a number of countries: China, Russia, North Korea and Iran.
However, CrowdStrike’s VP technology strategy, Michael Sentonas, told journalists at a briefing in Sydney that identifying the source of attacks was challenging.
Masters of misdirection
“Misdirection is something that nation-states are masters of,” he said. “The Chinese are amazing at it. The Russians invented this stuff and they do it really well. A lot of people don’t give North Korea the credit it is due. They have a lot of capability that is well advanced in this area. That is the problem with attribution because misdirection is huge.”
With this proviso, the report said: “Activity from China-based adversaries targeted multiple separate countries and industry sectors in 2017. Although this broad range of interests appears disparate, information on many of the targeted government entities likely supports intelligence requirements for military or diplomatic decision-making.
“Observed targeting of other sectors — including technology, industry, aerospace, telecommunications, and energy — likely supports high-priority projects for the 13th Five Year Plan (FYP), such as the Belt and Road Initiative.”
CrowdStrike also issued a strong warning to the telecommunications sector in Southeast Asia, saying it had identified China-associated adversaries compromising telecommunications companies across the region throughout 2017.
In one such intrusion, CrowdStrike’s threat hunting team, OverWatch, discovered that actors had compromised an internal Linux host and were using it as their primary staging point for hosting a wide array of malicious tools to enable further penetration throughout the victim’s network.
“The breadth of identified malicious behaviour across the network demonstrates how deeply this adversary had embedded itself within the victim network, and serves as a warning to the telecommunications sector regarding China’s prioritisation of targeting their industry, particularly in Southeast Asia,” CrowdStrike said.
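One way to hunt for the staging-host pattern described in the two paragraphs above, as an added example that is not from the CrowdStrike report or CrowdStrike’s own tooling: the script below reads constructed, simplified HTTP records (a Zeek-like tab-separated layout, not real Zeek output) and flags any internal server that has handed executable-looking files to several distinct internal clients while not being on a hypothetical allowlist of sanctioned software-distribution servers. The IP addresses, file names, allowlist, MIME list and client threshold are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (assumption) in a simplified, Zeek-http.log-like
# tab-separated layout: ts, client, server, server_port, method, uri, mime_type.
# This is NOT a real Zeek log; field order is chosen for the example only.
SAMPLE_LOG = """\
1514764800.1\t10.0.5.21\t10.0.9.7\t8080\tGET\t/tools/mimikatz.exe\tapplication/x-dosexec
1514764801.4\t10.0.5.22\t10.0.9.7\t8080\tGET\t/tools/psexec.exe\tapplication/x-dosexec
1514764803.9\t10.0.6.10\t10.0.9.7\t8080\tGET\t/tools/scan.sh\tapplication/x-sh
1514764805.0\t10.0.7.3\t10.0.9.7\t8080\tGET\t/tools/lateral.ps1\ttext/plain
1514764810.2\t10.0.5.21\t10.0.1.5\t80\tGET\t/updates/agent-2.1.msi\tapplication/x-msi
1514764811.7\t10.0.5.22\t10.0.1.5\t80\tGET\t/updates/agent-2.1.msi\tapplication/x-msi
1514764812.3\t10.0.5.30\t10.0.8.2\t80\tGET\t/intranet/index.html\ttext/html
1514764813.8\t10.0.5.31\t203.0.113.10\t443\tGET\t/cdn/app.exe\tapplication/x-dosexec
1514764814.1\t10.0.5.40\t10.0.8.9\t80\tGET\t/share/notes.txt\ttext/plain
"""

# Hypothetical allowlist of sanctioned internal software-distribution servers (assumption).
APPROVED_DISTRIBUTION_SERVERS = {"10.0.1.5"}

# Content that looks like tooling rather than documents or web pages (assumption).
TOOL_MIME_TYPES = {"application/x-dosexec", "application/x-executable",
                   "application/x-sh", "application/x-elf", "application/x-msi"}
TOOL_EXTENSIONS = (".exe", ".dll", ".ps1", ".sh", ".elf", ".bin", ".py", ".msi")

# Use the RFC 1918 ranges explicitly: ipaddress.is_private also treats the
# documentation range 203.0.113.0/24 as private, which would hide the external hit.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_records(text):
    """Split the tab-separated sample into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, server, port, method, uri, mime = line.split("\t")
        records.append({"ts": float(ts), "client": client, "server": server,
                        "port": int(port), "method": method, "uri": uri, "mime": mime})
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def looks_like_tool(uri, mime):
    # Check both the declared MIME type and the path extension, because a
    # script served as text/plain (as lateral.ps1 is above) would otherwise slip through.
    path = uri.split("?", 1)[0].lower()
    return mime in TOOL_MIME_TYPES or path.endswith(TOOL_EXTENSIONS)


def find_staging_hosts(records, min_clients=3, approved=APPROVED_DISTRIBUTION_SERVERS):
    """Return {server: {"clients": set, "files": set}} for internal servers that
    served tool-like files to at least min_clients distinct internal clients."""
    by_server = defaultdict(lambda: {"clients": set(), "files": set()})
    for r in records:
        if not (is_internal(r["server"]) and is_internal(r["client"])):
            continue  # internet downloads are a different hunt
        if r["server"] in approved:
            continue  # sanctioned distribution point
        if r["method"] != "GET" or not looks_like_tool(r["uri"], r["mime"]):
            continue
        entry = by_server[r["server"]]
        entry["clients"].add(r["client"])
        entry["files"].add(r["uri"])
    return {s: v for s, v in by_server.items() if len(v["clients"]) >= min_clients}


if __name__ == "__main__":
    for server, info in find_staging_hosts(parse_records(SAMPLE_LOG)).items():
        print(f"candidate staging host {server}: {len(info['clients'])} clients, "
              f"files={sorted(info['files'])}")
```

On the constructed data only 10.0.9.7 is reported: four internal clients fetched tooling from it, while the approved update server is skipped and the external download is left to a separate hunt. The output is a triage signal, not a verdict; patch servers, build systems and file shares produce the same shape, so the allowlist and the client threshold need tuning to the environment before the check is useful.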
According to the report, 39 percent of the malware CrowdStrike detected in 2017 was missed by traditional antivirus software. Sentonas said such products had not been built to withstand certain types of attacks.
“With the information stolen from the US Government there were playbooks on how to bypass just about every commercially available antivirus product. You could cut and paste the code.”